We are undergoing a technological revolution that is unlike anything we have experienced before. The speed of the disruption to almost every industry is not easy to anticipate yet we see evidence of the impact everywhere. It is changing the way we live and work – and Covid-19 is likely to accelerate this digitization. Digital transformation, and with it the focus on big data analytics and the adoption of evolving technologies like IoT, cloud computing and AI, is making every business a data business. For any organisation, data will likely become the air you breathe. This article aims to offer senior executives and legal, risk, governance and compliance stakeholders practical guidance on how to consider approaching a fundamental element of any successful digital transformation journey, namely good data governance and data protection.
Whether you have already started the journey or not, you must take the opportunity to leverage the lessons of those who have faced the challenges already, particularly those organisations who have sought to implement programs for the EU’s General Data Protection Regulation (GDPR). Programs created with the sole purpose of becoming a compliance mechanism to mitigate enforcement risks will rarely “come to life”. Besides operationalisation challenges, like failures to successfully implement well-intended policies and controls, organisations will likely miss out on the opportunity to accelerate their digital transformation journey, maximise the value of data, differentiate themselves from key competitors and ultimately build customer trust.
The Changing Data Protection Landscape
The data protection and privacy regulation landscapes are rapidly evolving as the global impact of the EU’s GDPR becomes more ubiquitous. Countries in developed and emerging markets are updating laws and regulations to enhance the digital security of their citizens, and in many cases, such as the United Arab Emirates and Egypt in my region, seeking to establish national data protection laws for the first time.
Covid-19 added a new dimension. Certain countries have elected to temporarily press pause on their efforts to implement new laws to reduce the immediate burden on organisations during these extraordinarily challenging times. Others, in response to the clear increased risk to personal data triggered by the sudden acceleration of digital transformation efforts, including unplanned moves to remote working driven by sheer necessity, have chosen to mitigate the elevated risk of cyberattacks and data breaches by moving ahead with plans to implement data protection and privacy objectives. A recent example is Pakistan, who reacted by double-clicking on efforts to finalize the draft of their Personal Data Protection Bill, noting that the “privacy of personal data of an individual has become more relevant and important than ever before because of the increasing use of ICT services in (the) current pandemic.”
At this point, it would seem remiss of me not to mention the high-profile debate surrounding the use of surveillance by governments and technology companies to combat Covid-19. The privacy community is on high alert. Government officials are battling to balance public health and privacy concerns as they decide whether (and how) to introduce appropriate surveillance technologies. As we formulate suitable requirements and recommendations for the use of technologies that support objectives like contact tracing, how will governments and the technology companies presenting their surveillance infrastructure as a public health service for good, maintain the trust of citizens when trust in both governments and technology companies is at all all-time low. How quickly we forget where we stood on the issue of surveillance in January.
The Challenge for Data Protection Officers
Compliance with these GDPR-inspired data protection and privacy regulations is going to be challenging in many countries. This is because the leap for many countries from their current position to GDPR-inspired compliance is a significant one. As data protection officers (DPOs) are appointed for the first time in organisations across many new geographies, they will face internal organisational challenges and inertia. A combination of leadership, culture and ethics will become crucial to the success of any data protection and privacy program.
A recent survey by CPO Magazine on data protection and privacy officer priorities for 2020 found that the two greatest challenges an organisation will face to achieve an effective data protection and privacy program – based on the experience of DPOs – are obtaining sufficient resources or budget (27%) and working with various business functions (26%), particularly for organisations who are in the early and middle stages of setting up a data protection and privacy program. In addition, a key priority identified in the survey for 2020 is building a privacy-aware culture in an organisation. Both the challenges and priority are massively influenced by leadership and how leadership models culture and ethics.
Governance, Culture and Ethics
Organisations exist to achieve strategic or operational objectives. They accomplish these objectives using people, processes and technology to pursue opportunities. While doing so they need to overcome various challenges and uncertainty which in today’s word we commonly refer to as threats or risks. The increasing difficulty they face is that they need to do so by remaining within agreed boundaries, which are typically external laws and regulations. These laws and regulations are fast-evolving, increasingly complex to navigate and oftentimes burdensome and costly. We tend to think of this as compliance.
However, company objectives are also influenced by an organisation’s mission, vision and values, and the contractual obligations or public promises which flow from them. These are voluntary boundaries, which are driven by both external and internal factors and essentially become internal compliance requirements. They are not mandatory but they exist because organisations have agreed to implement policies and procedures because they might offer a competitive advantage, help build trust or a positive brand, or because the talent or customers they hope to acquire and keep in future increasingly care about particular issues. Sustainability or diversity and inclusion would be common examples.
OCEG, a non-profit think tank, uses the term principled performance, “where every organisation and every person strives to achieve objectives, address uncertainty and act with integrity” and where GRC (governance, risk, and compliance) is “a well-coordinated and integrated collection of all the capabilities necessary to support principled performance.” Most organisations, including Enron, WorldCom and their modern-day counterparts, will have had, or have, a publicly stated observance to values such as integrity and ethical behaviour. They would also mandate that leadership teams provide an appropriate example and tone from the top. But culture is not about words. It is about deeds. And more critically, no stakeholders’ deeds and actions influence organisational culture more positively – or negatively – than those of the senior leadership team. Employees notice what leadership teams do, not what they say.
That said, we also know that you can follow processes and be compliant, but still end up with unethical behaviour. History is filled with examples. Many legal and compliance community members continuously see good people do bad things. But leadership culture, specifically strong ethical and governance culture, helps guide an organisation and its employees (or representatives) in times where sound judgement or an ethical compass are required for unchartered waters or ambiguous circumstances. We live in that world now. Laws will always lag behind technology and compliance best practices will need to be developed, but what guides us as we figure out the ambiguity are timeless values like integrity and ethics. Consider the following scenario; how personal data might be collected today with informed and specific consent for the transformational AI projects in the years that follow. We are still figuring out appropriate processes and regulations, which is why values and ethics are essential.
A Data Protection and Privacy Program
Data governance and data protection is a component of any GRC program. It is a relatively small cost in GRC programs today, but it has enormous future implications. Organisations, customers and governments are increasingly concerned about privacy and security. This makes a good data governance strategy essential. We continually hear the cliché about data being the new oil. I would go further and suggest that data has in many ways become more than a natural resource; it has become a national resource. Besides philanthropic, commercial and protectionist drivers, this is also why we have privacy regulations being updated and governments enacting variations of data residency and data sovereignty regulations. Leadership teams of companies – like governments – need to appreciate that data now has incredible inherent value in this era of AI adoption, IoT and data analytics. This introduces rewards and risks to manage and makes the need to take responsibility for data governance self-evident.
An appropriate data protection and privacy program has become a necessity. It might be mandatory in your country, but if it is not, it soon will be. It could easily be placed into the category of voluntary compliance requirements which make good business sense to implement right away. As you think about technologies like AI and machine learning, have you designed and future-proofed a program with this in mind? Have you considered and designed the customer journey of your future business model and thought about when and how to interact with your customer to obtain their consent? Have you put in place policies and controls to protect and manage that data? Or are you really only thinking about compliance?
Having valuable data in future without consent to use it would seem imprudent from a leadership and governance perspective. At best.
The Role of Leadership and Culture
This takes me back to the challenges and priorities identified above when operationalising an effective data protection and privacy program:
- obtaining sufficient resources or budget,
- difficulties working with various business functions, and
- building a privacy-aware culture.
Leadership support has become critical if you want to develop an ethical, data-driven culture, address these challenges, focus on priorities and accelerate operational maturity. The potential benefits are not only a compliance program to mitigate the risk of a future legal or enforcement claim, but how you can then leverage data to achieve strategic digital transformation objectives, earn the trust of your customers and enhance your organisation’s reputation.
In summary, I would offer the following closing observations:
- Covid-19 is likely to accelerate digital transformation and impact the way we approach GRC (governance, risk, and compliance) in future,
- Digital transformation is fundamentally about leveraging new technologies, people, data (and I emphasise the word “data”) and processes to better engage customers and transform products and services,
- Good data governance and a pragmatic data protection program have become essential to the success of all organisations,
- Any data protection program should be about more than compliance. It should be designed and future-proofed to support the strategic objectives of the organisation,
- Leadership and culture will play a critical role in the establishment of a successful data protection program.